Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
02-10-2022 14:35
General
-
Target
63b2e086fc133ab32f3f1de0add964be64cad80110308976cb48c51a2ff0adce.exe
-
Size
54KB
-
MD5
6dca863db18526122faeb34d52ba7144
-
SHA1
2e32561043f0b83013bcb61dfa334f44ef5b66b6
-
SHA256
63b2e086fc133ab32f3f1de0add964be64cad80110308976cb48c51a2ff0adce
-
SHA512
a4999a50c32cb6897fc320b23f2745ded82b1eaec606845add20b1330cd3f655a5f1647d9170ffef6210c22ae559a14ef8e3e28971b0013a0768b335f90113b9
-
SSDEEP
1536:gQ7Uv00YEHGTYZzyh9/TNtfQUgNNVNJlkzS:gQ70YEFzgZTNXki+
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 57 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\63b2e086fc133ab32f3f1de0add964be64cad80110308976cb48c51a2ff0adce.exe"C:\Users\Admin\AppData\Local\Temp\63b2e086fc133ab32f3f1de0add964be64cad80110308976cb48c51a2ff0adce.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\duckload\1.bat3⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\duckload\3.bat""" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\duckload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\duckload\tmp4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\duckload\2.inf4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\duckload\2.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821335⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3380 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\duckload\1.inf5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl4CF.tmpC:\Users\Admin\AppData\Local\Temp\inl4CF.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\63B2E0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.8MB
MD50efedc7e4ccd03346fa1a8d5e0262c1f
SHA18634095f246ec4c3ca4a0d6252282f5bfb9b97ba
SHA2560d96b47234cde864e3e571edfd0664551a146ecb794b2979d9c3daac5fef7e6c
SHA51213db38bcc1e009cb3dd66b0dfd0aab52a96c422e955cad3bbe29babe1a7c0fd809b2f5dd423ed22d5b5441152493da9b2fd480d05f1940f7ead3e44a62e7e425
-
Filesize
1KB
MD57c25a95e3e39bc7988793d8937e5ec4d
SHA16e5b750f250303590e17a7daa22368f4d9f6d4af
SHA256ff44f5f88df90085cb267021cf2bf11b6b775a85eb9c3b3ef6a0454c1a27608c
SHA51230adc313a8c0b14f334c0113a48dc8a0c12efde4e0955ae96fbda4bb757aad051f23dfcd55a5c0dca76fddab47a6fb3e440ea87bbab5acc9561748a7523191dd
-
Filesize
960B
MD55c85ce81bfb5a28f33edd9cb48743233
SHA15521f943791d643afcd6773155c0e0a52520f3fb
SHA25633e516b86c6d5691ef255e802550b74580327e8ecb9aed6c7ac69dd7afa906c6
SHA512d2757c893acbb4ebcd935a18d419e8e61f15c30dc0fe4fe7ea26e6a35b48daabd9afd7aea7ed2dca2e07f9d9f56e8c8a9023f5efa9cfd8c39b8285c69c617bd7
-
Filesize
57.2MB
MD59407fc72eb544ac56fb96570fdbaeb91
SHA15120303357f02f484d6faf74688f8675f06e05be
SHA256458b04634fca3b10bb0f0accd4e6ed416ff4f4cb8ce6c271a485289bf6b0194d
SHA512dabd6fe093a6d138220b31dd77e7c1d4d4677a87d97f34f117f39ef3131a6f5dab7c34dd1c672286bf3459bea9bfe56c6f7a5eb128bc30baa975ccb53912a742
-
Filesize
57.2MB
MD59407fc72eb544ac56fb96570fdbaeb91
SHA15120303357f02f484d6faf74688f8675f06e05be
SHA256458b04634fca3b10bb0f0accd4e6ed416ff4f4cb8ce6c271a485289bf6b0194d
SHA512dabd6fe093a6d138220b31dd77e7c1d4d4677a87d97f34f117f39ef3131a6f5dab7c34dd1c672286bf3459bea9bfe56c6f7a5eb128bc30baa975ccb53912a742
-
Filesize
55B
MD5e191fedc0782635d37e36a8461827974
SHA1523793f1e74d3ae481f5f42783244162efff4bfb
SHA2569ee7d9d0f401b4fd51744d311c071bec10a20bc941385c5502c4eec958ae216f
SHA51270094446f0ff5dac95902f6caabbe82046569f3fd37bf696648ed8213e1330c18b4d1cdfbc59a639aa52fb7c90192b9d3cd0e455660b1b5702d6c3bcdeed7c62
-
Filesize
3KB
MD5493c22f6b15f9766ae7c23794fc77da0
SHA143723ba660dbc1486f717441b58298d33b9f2048
SHA256478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182
SHA512662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5ee3adfdff54a4b36134ba582b98450b5
SHA1a487315615709d00a6c240a116a10be7da7a7cdf
SHA256358052d27b45fb597602fe2a63a652e7753237ce5e16675422ee0820c73066cc
SHA512f7b125c715b6969ce755622734ee57d0022418aae4bdbfb21e171f50bfa4360a2c035996889c35e9764fee8721ebf844423758be90fc75fe3659c8a413c4b4af
-
Filesize
249B
MD5989d5ced1a763799655ef548607bb348
SHA19cce73c2d866f8933b3d68c60517fa3d2f46632d
SHA256625c71f2fd19c0a583a04417992d652e8e6733b32ad599d974c9546a87dda872
SHA512c858c22dbf9eeb07e6c52684b0678bdc40d65d8e58dda43b4aae7c1f88384d73788a792fdc4b5e524676d3e72e0f548b0210a3034dd738eb1085fa510c685f85
-
Filesize
5.8MB
MD50efedc7e4ccd03346fa1a8d5e0262c1f
SHA18634095f246ec4c3ca4a0d6252282f5bfb9b97ba
SHA2560d96b47234cde864e3e571edfd0664551a146ecb794b2979d9c3daac5fef7e6c
SHA51213db38bcc1e009cb3dd66b0dfd0aab52a96c422e955cad3bbe29babe1a7c0fd809b2f5dd423ed22d5b5441152493da9b2fd480d05f1940f7ead3e44a62e7e425
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB